GSSAPI - context lifetime

Nicolas Williams Nicolas.Williams at
Thu May 29 17:49:49 EDT 2008

On Thu, May 29, 2008 at 05:35:20PM -0400, Jeffrey Altman wrote:
> If a service wants to force new authentications after some period of 
> time that is perfectly reasonable.  However, I do not believe it is 
> appropriate for the GSS-API to force periodic and arbitrary 
> authentications on all protocols that happen to make use of GSSAPI
> with a Kerberos v5 mechanism.
> I would very much like to see this restriction removed.

I agree.  Ideally GSS_S_CONTEXT_EXPIRED should be seen as an advisory
major status code, or even as a minor status code to go with
GSS_S_COMPLETE.  I.e., gss_get_mic() should succeed but still tell you
that the context expired.  This would be particularly useful in the
context of overused keys.

I agree: the app should be in charge of deciding whether the context
expiration is relevant.  But that doesn't mean that apps that would want
to drop connections when tickets expire do so explicitly, and making
this change might break them (but I don't mind doing so).


More information about the krbdev mailing list